Update of „Project Lockdown“ released

Arup Nanda has released an update for „Project Lockdown“. This new version covers Oracle 11g (R1/R2) as well.

I found a few minor things which are not 100% correct, but in general it is a good introduction.

But there is something I never liked: the recommendation on how to check the Oracle database for weak passwords. In my experience, this is the biggest problem in nearly every organization.

Just using dba_users_with_defpwd or comparing password hashes is not sufficient and is misleading (password = username is not found). Oracle 11g uses salted hashes, and that concept does not work with the view dba_users_with_defpwd.

Why not use a real password checker like woraauthbf, ops_sse or Repscan? They check all passwords independently of the database version.
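To show why a static default-password table misses "password = username" once hashes are salted, here is an added example (not part of the post, and not the code of any of the tools named above). It assumes the documented 11g "S:" verifier layout, SHA-1(password || 10-byte salt) followed by the salt in hex, and uses constructed sample accounts rather than real SYS.USER$ rows.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple


def oracle11g_hash(password: str, salt: bytes) -> str:
    """Build an 11g-style 'S:' verifier: hex(SHA1(password||salt)) + hex(salt)."""
    if len(salt) != 10:
        raise ValueError("11g salts are 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def parse_s_verifier(spare4: str) -> Tuple[str, bytes]:
    """Extract (hex digest, salt bytes) from the 'S:' field of SPARE4."""
    for field in spare4.split(";"):          # 12c may append ";H:..." etc.
        if field.startswith("S:") and len(field) == 62:
            body = field[2:]
            return body[:40].lower(), bytes.fromhex(body[40:])
    raise ValueError("no 11g S: verifier found")


def weak_password_for(username: str, spare4: str,
                      candidates: Iterable[str]) -> Optional[str]:
    """Return the first weak candidate matching this user's verifier, else None.

    Because the salt differs per user, the check must recompute the hash
    for every account; a precomputed hash table cannot express
    'password equals username' for all users at once.
    """
    digest, salt = parse_s_verifier(spare4)
    for cand in [username, username.lower(), *candidates]:
        if oracle11g_hash(cand, salt)[2:42].lower() == digest:
            return cand
    return None


# Constructed sample data: two accounts, each with its own salt.
SAMPLE_SALT_A = bytes.fromhex("0102030405060708090a")
SAMPLE_SALT_B = bytes.fromhex("a1b2c3d4e5f6a7b8c9d0")
SAMPLE_USERS = {
    "APPUSER": oracle11g_hash("APPUSER", SAMPLE_SALT_A),         # password = username
    "REPORTS": oracle11g_hash("Str0ng!Pass#2024", SAMPLE_SALT_B),
}
WEAK_CANDIDATES = ["manager", "change_on_install"]   # illustrative defaults only


def audit(users: Dict[str, str] = SAMPLE_USERS,
          candidates: Iterable[str] = WEAK_CANDIDATES) -> Dict[str, Optional[str]]:
    """Map each account to the weak password found for it, or None."""
    return {u: weak_password_for(u, h, list(candidates)) for u, h in users.items()}
```

Running `audit()` flags APPUSER and clears REPORTS; the same password hashed with two different salts produces two different verifiers, which is exactly what a hash-comparison approach cannot handle.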

My recommendation for the action plan:
Use a real password checker instead of only comparing password hashes.
